// Glossary · compliance

BAA (Business Associate Agreement)

Also: business associate agreement · HIPAA BAA

HIPAA contract between a covered entity (healthcare provider, payer) and a business associate (vendor handling PHI). Required before any PHI-touching workflow can begin.

A Business Associate Agreement is the contract HIPAA requires between a covered entity (a healthcare provider, health plan, or clearinghouse) and any vendor that creates, receives, maintains, or transmits Protected Health Information on the covered entity's behalf. The BAA contractually binds the vendor to the HIPAA safeguards the covered entity itself must follow; since the HITECH Act and the 2013 Omnibus Rule, business associates are also directly liable for Security Rule compliance, but the agreement is still required. Without a signed BAA in place, sending PHI to a vendor is itself an impermissible disclosure and a HIPAA violation, regardless of whether the vendor handles the data securely. The agreement is the legal infrastructure that lets PHI move between organizations at all.

For any AI vendor selling into healthcare, the BAA is the gate to the deal. A covered entity cannot adopt a tool that touches patient data without first executing a BAA with the vendor. Many AI tools that work in adjacent verticals fail in healthcare because the underlying infrastructure (OpenAI, Anthropic, Pinecone, etc.) either does not offer BAAs at the relevant tier or offers them only on enterprise contracts that small vendors cannot afford. The vendors that win healthcare deals are the ones who pre-negotiated BAAs with every layer of their stack, paired with HIPAA-compliant AI architecture and a SOC 2 report.

The standard BAA covers permitted uses of PHI, required safeguards (administrative, physical, technical), breach notification obligations, subcontractor flow-down requirements, and termination conditions. Real-world BAAs vary in how prescriptive they are about specific controls. Large health systems often require detailed addendums covering encryption standards, audit log requirements, and data residency. Small clinics may accept a standard form BAA without modification. The AI Ops Department handles the operational layer of BAA tracking, ensuring every vendor in the stack has a current signed agreement and that subcontractor flow-downs are documented for audit.

// Examples
  • A healthcare SaaS pre-negotiates BAAs with OpenAI (enterprise tier), AWS, and Pinecone before going to market, cutting average enterprise deal time from 14 weeks to 5 once procurement starts.
  • A telehealth platform discovers in audit that a marketing analytics vendor was processing patient session metadata without a BAA. An impermissible disclosure to an uncontracted vendor is presumed to be a reportable breach unless a documented risk assessment shows a low probability of compromise, so the finding triggers breach notification and a vendor swap.
  • A clinical decision support startup loses a Series A deal because its LLM provider only offered BAAs at a $50K enterprise tier, blocking access to a major health system pilot.
// Common questions
Who needs to sign a BAA?
Any vendor that handles PHI on behalf of a covered entity. This includes cloud hosting providers, email services, analytics tools, AI providers, and any subcontractor that touches the data. HHS guidance treats a cloud service provider as a business associate even when the PHI it stores is encrypted and it never holds the key; the narrow "conduit" exception covers only transient carriers such as ISPs, not storage or processing. The covered entity is required to have BAAs with all of them, and the vendors are required to flow down BAA obligations to their own subcontractors.
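The operational tracking described above (every vendor in the stack with a current signed agreement, subcontractor flow-downs documented for audit) amounts to walking the PHI data-flow graph outward from the covered entity and checking the BAA on every edge PHI crosses. The following is an added example written for this page, not code from the original glossary or from EOI; the `Flow` inventory format, the party names and the dates are constructed assumptions. It reports missing and expired BAAs at any depth, handles a vendor shared by several senders (each relationship needs its own BAA) and cycles, and flags the inventory inconsistency of a party that claims to send PHI onward without any documented PHI path reaching it:

```python
"""Audit a PHI data-flow inventory for BAA coverage, including subcontractor flow-down.

Added example, not code from the original glossary page or from EOI. The
inventory format, party names and dates below are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Flow:
    """One hand-off of data from `sender` to `receiver`.

    `phi` says whether Protected Health Information crosses this edge. When it
    does, `baa_signed`/`baa_expires` describe the BAA between these two parties
    (covered entity <-> business associate, or business associate <-> subcontractor).
    """
    sender: str
    receiver: str
    phi: bool
    baa_signed: date | None = None
    baa_expires: date | None = None


def audit_baa_coverage(flows: list[Flow], covered_entity: str, today: date) -> list[str]:
    """Return one finding per BAA gap on any path PHI takes from the covered entity.

    Depth-first walk over PHI edges starting at the covered entity; each edge is
    visited once, so shared vendors and cycles terminate, and a subcontractor
    three hops down is checked exactly like a first-tier vendor. A final pass
    flags parties that declare outbound PHI flows without any inbound PHI path,
    which usually means the inventory itself is wrong.
    """
    outbound: dict[str, list[Flow]] = defaultdict(list)
    for f in flows:
        outbound[f.sender].append(f)

    findings: list[str] = []
    reached: set[str] = {covered_entity}
    seen_edges: set[tuple[str, str]] = set()
    stack: list[tuple[str, list[str]]] = [(covered_entity, [covered_entity])]

    while stack:
        party, path = stack.pop()
        for f in outbound[party]:
            if not f.phi or (f.sender, f.receiver) in seen_edges:
                continue  # no PHI on this edge, or relationship already checked
            seen_edges.add((f.sender, f.receiver))
            chain = path + [f.receiver]
            label = " -> ".join(chain)
            if f.baa_signed is None:
                findings.append(f"{label}: PHI disclosed with no signed BAA")
            elif f.baa_expires is not None and f.baa_expires < today:
                findings.append(f"{label}: BAA expired on {f.baa_expires.isoformat()}")
            reached.add(f.receiver)
            stack.append((f.receiver, chain))  # keep walking: flow-down applies below this party too

    for f in flows:
        if f.phi and f.sender not in reached:
            findings.append(
                f"{f.sender} -> {f.receiver}: PHI flow declared but no documented "
                f"PHI path reaches {f.sender}"
            )
    return sorted(findings)


# Constructed sample inventory (hypothetical parties). The first two flows are
# fully covered; the rest reproduce the gaps a real audit tends to surface.
AUDIT_DATE = date(2025, 6, 1)
SAMPLE_FLOWS: list[Flow] = [
    Flow("Clinic", "TelehealthCo", True, date(2024, 3, 1), date(2026, 3, 1)),
    Flow("TelehealthCo", "CloudHost", True, date(2024, 2, 15), date(2027, 2, 15)),
    Flow("Clinic", "BillingSvc", True, date(2023, 1, 1), date(2024, 12, 31)),   # lapsed
    Flow("TelehealthCo", "LLMProvider", True),                                  # never signed
    Flow("TelehealthCo", "MarketingAnalytics", True),                           # the audit finding above
    Flow("MarketingAnalytics", "AdNetwork", True),                              # sub of an uncontracted vendor
    Flow("TelehealthCo", "PaymentsCo", False),                                  # tokens only, no PHI
    Flow("OrphanVendor", "Somewhere", True),                                    # inventory inconsistency
]


def sample_findings() -> list[str]:
    """Run the audit over the constructed inventory."""
    return audit_baa_coverage(SAMPLE_FLOWS, "Clinic", AUDIT_DATE)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Each finding carries the full path from the covered entity, which is the artefact an auditor asks for when checking flow-down: it shows not just that AdNetwork lacks a BAA but that PHI reaches it through a vendor that was itself never contracted. A production version would load the inventory from the vendor register and run on a schedule so an expiring BAA surfaces before, not after, the renewal date.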
What happens without a BAA in place?
Sending PHI to the vendor is itself a HIPAA violation by the covered entity, even if the vendor handles the data securely. Civil penalties are assessed per violation in four tiers based on the level of culpability, from $100 up to $50,000 per violation (base amounts, adjusted for inflation), with an annual cap per provision violated. The Office for Civil Rights also publishes breaches of unsecured PHI affecting 500 or more individuals on its public breach portal and publishes the resolution agreements it reaches, which damages the covered entity's reputation alongside the financial penalty.
Do all AI vendors offer BAAs?
No. Many consumer-tier AI products explicitly disclaim PHI use in their terms. OpenAI, Anthropic, and Google offer BAAs, but only through enterprise or API agreements, not for consumer-tier products. Self-hosted or [local LLM](/glossary/local-llm) deployments can avoid the model vendor's BAA gate because the data never leaves the covered entity's infrastructure, with two caveats: if the model runs on a cloud provider, that provider still needs a BAA, and the covered entity takes on the Security Rule obligations (access control, audit logging, encryption) the vendor would otherwise have carried. Vendor selection for healthcare AI starts with BAA availability, not features.
How long does it take to get a BAA signed?
Varies from days to months. Small clinics often sign standard form BAAs within a week. Large health systems run multi-month legal review cycles and require specific addendums. The vendors that move fastest in healthcare sales pre-negotiate BAA templates with their full stack so the customer-facing legal review is the only gate, not five upstream gates.
// Related terms
// Ready to ship?

EOI runs fractional AI departments for funded teams under 50. Sales, Content, Ops, Support. Live in 14 days on a monthly retainer.